Re: [NSE] Script Submission: HTTP NTLM Information Disclosure
From: Daniel Miller <bonsaiviking () gmail com>
Date: Fri, 07 Feb 2014 12:13:01 -0600
On 02/06/2014 02:55 PM, nmap user wrote:
> Thanks for the feedback.
> Attached is the revised code leveraging the
> smbauth.get_host_info_from_security_blob() function where possible.
> As for logging -- within IIS, the script event is logged as '401'
> (Unauthorized), the same as if a web browser visited the page with
> NTLM authentication enabled. When anonymous access is permitted to
> the web server this request is simply logged as a '200' (since NTLM
> auth is disabled).
Thanks for that. It looks like this may be a good candidate for the
default category. The script is looking great, too. I made a couple
minor changes and committed this in r32706.
1. I renamed the script to http-ntlm-info to match the other -info scripts
2. I expanded the base64 NTLM authentication blob so that folks can see
what they are actually sending (and possibly change it in the future
without redoing a packet capture). A cleaner alternative would be
replacing auth_blob with a call to smbauth.get_security_blob(), but
since that doesn't include the OS information (an older way of doing
it), I stuck with your well-tested string.
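The exchange the thread is about, as an added stand-alone example (Python rather than NSE Lua, and not the http-ntlm-info script or nmap's smbauth library): a Type 1 NEGOTIATE_MESSAGE with the Version field set is sent in an Authorization header, and the Type 2 CHALLENGE_MESSAGE that comes back in WWW-Authenticate is parsed for the TargetInfo AV_PAIRs (NetBIOS and DNS names) and the server's OS version, bounds-checked because the blob is attacker-controlled input. The sample challenge (host WEB01, domain CORP, Windows 6.1.7601) is constructed in the code, not captured from a real server, and the hostname/path arguments of probe() are whatever you point it at.

```python
"""NTLM over HTTP: send a Type 1 negotiate blob, parse the Type 2 challenge."""
import base64
import http.client
import struct
from datetime import datetime, timedelta

# NegotiateFlags from MS-NLMP 2.2.2.5 (only those used here)
NEGOTIATE_UNICODE = 0x00000001
REQUEST_TARGET = 0x00000004
NEGOTIATE_NTLM = 0x00000200
NEGOTIATE_ALWAYS_SIGN = 0x00008000
TARGET_TYPE_SERVER = 0x00020000
NEGOTIATE_TARGET_INFO = 0x00800000
NEGOTIATE_VERSION = 0x02000000

SIGNATURE = b"NTLMSSP\x00"
# TargetInfo AvId values that carry host names (MS-NLMP 2.2.2.1)
AV_STRINGS = {1: "nb_computer", 2: "nb_domain", 3: "dns_computer",
              4: "dns_domain", 5: "dns_tree"}
AV_TIMESTAMP = 7


def build_negotiate() -> bytes:
    """Type 1 NEGOTIATE_MESSAGE: empty domain/workstation, Version field present
    so the server answers with its own OS version (smbauth.get_security_blob()
    omits this field, which is why the script kept its hand-built blob)."""
    flags = (NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_NTLM
             | NEGOTIATE_ALWAYS_SIGN | NEGOTIATE_VERSION)
    empty = struct.pack("<HHI", 0, 0, 40)  # Len, MaxLen, Offset past 40-byte header
    # Claimed client OS (arbitrary here): major, minor, build, reserved, NTLMRevision
    version = struct.pack("<BBH3sB", 6, 1, 7601, b"\0\0\0", 0x0F)
    return SIGNATURE + struct.pack("<II", 1, flags) + empty + empty + version


def parse_challenge(blob: bytes) -> dict:
    """Parse a Type 2 CHALLENGE_MESSAGE from an untrusted server."""
    if len(blob) < 48 or blob[:8] != SIGNATURE or struct.unpack_from("<I", blob, 8)[0] != 2:
        raise ValueError("not an NTLMSSP CHALLENGE_MESSAGE")
    tn_len, _, tn_off = struct.unpack_from("<HHI", blob, 12)
    flags = struct.unpack_from("<I", blob, 20)[0]
    ti_len, _, ti_off = struct.unpack_from("<HHI", blob, 40)
    if tn_off + tn_len > len(blob) or ti_off + ti_len > len(blob):
        raise ValueError("field offset points outside the message")
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    out = {"target_name": blob[tn_off:tn_off + tn_len].decode(enc, "replace"),
           "server_challenge": blob[24:32].hex(), "os_version": None}
    if flags & NEGOTIATE_VERSION and len(blob) >= 56:  # pre-Win2000 replies are 48 bytes
        major, minor, build, _, _ = struct.unpack_from("<BBH3sB", blob, 48)
        out["os_version"] = "%d.%d.%d" % (major, minor, build)
    pos, end = ti_off, ti_off + ti_len
    while flags & NEGOTIATE_TARGET_INFO and pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        value = blob[pos:pos + av_len]
        pos += av_len
        if av_id == 0:  # MsvAvEOL terminates the list
            break
        if av_id in AV_STRINGS:
            out[AV_STRINGS[av_id]] = value.decode("utf-16-le", "replace")
        elif av_id == AV_TIMESTAMP and av_len == 8:  # FILETIME: 100 ns ticks since 1601
            ticks = struct.unpack("<Q", value)[0]
            out["timestamp"] = (datetime(1601, 1, 1)
                                + timedelta(microseconds=ticks // 10)).isoformat()
    return out


def build_sample_challenge() -> bytes:
    """CONSTRUCTED stand-in for an IIS reply (not a capture), same layout as a
    real CHALLENGE_MESSAGE so parse_challenge() can be exercised offline."""
    u = lambda s: s.encode("utf-16-le")
    pairs = [(2, u("CORP")), (1, u("WEB01")), (4, u("corp.example")),
             (3, u("web01.corp.example")), (5, u("corp.example")),
             (AV_TIMESTAMP, struct.pack("<Q", 130362048000000000)), (0, b"")]
    target_info = b"".join(struct.pack("<HH", i, len(v)) + v for i, v in pairs)
    target = u("WEB01")
    flags = (NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_NTLM | NEGOTIATE_ALWAYS_SIGN
             | TARGET_TYPE_SERVER | NEGOTIATE_TARGET_INFO | NEGOTIATE_VERSION)
    return (SIGNATURE + struct.pack("<I", 2)
            + struct.pack("<HHI", len(target), len(target), 56)
            + struct.pack("<I", flags)
            + bytes(range(8))  # ServerChallenge (random on a real server)
            + b"\0" * 8        # Reserved
            + struct.pack("<HHI", len(target_info), len(target_info), 56 + len(target))
            + struct.pack("<BBH3sB", 6, 1, 7601, b"\0\0\0", 0x0F)  # Windows 6.1.7601
            + target + target_info)


def probe(host, path="/", port=80, timeout=10):
    """One unauthenticated GET carrying the Type 1 blob. A 401 with
    'WWW-Authenticate: NTLM <b64>' is the disclosure; a 200 means anonymous
    access is on and no challenge was offered (the server logs just a 200)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    token = base64.b64encode(build_negotiate()).decode("ascii")
    conn.request("GET", path, headers={"Authorization": "NTLM " + token})
    resp = conn.getresponse()
    for value in resp.getheader("WWW-Authenticate", "").split(","):
        value = value.strip()
        if resp.status == 401 and value.startswith("NTLM "):
            return parse_challenge(base64.b64decode(value[5:]))
    return None
```

Offline, `parse_challenge(build_sample_challenge())` returns the NetBIOS and DNS names, the server challenge, the OS version and the timestamp; against a live IIS host, `probe("host")` performs the same single request that the script makes, which the server records as a 401 exactly as the thread describes. The offset checks before slicing are the caveat to keep: TargetName and TargetInfo offsets come from the server, so a hostile or buggy endpoint can point them anywhere.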
Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/